Bug#1106526: nmu: multiple binNMUs to fix build reproducibility
On 2025-06-01 13:42, Sebastian Ramacher wrote:
> On 2025-05-25 16:12:51 +0200, Aurelien Jarno wrote:
> > Package: release.debian.org
> > Severity: normal
> > X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> > User: release.debian.org@packages.debian.org
> > Usertags: binnmu
> >
> > Dear release team,
> >
> > Reproducible builds are based on the assumption that the build date is
> > always newer than the latest changelog entry.
> >
> > Unfortunately some source packages recently got uploaded from a computer
> > with the wrong time, causing the binary packages in the archive to not
> > be reproducible, as can be checked on reproduce.debian.net. They
> > however appear as reproducible on tests.reproducible-builds.org as
> > instead of comparing a new build to the version in the archive, it does
> > two new builds and checks they match.
>
> This sounds quite fragile. Why would that matter?

Essentially the reproducibility with regard to the file timestamps is
handled at the dpkg level by calling tar with the --clamp-mtime option,
using the date of the latest changelog entry.

This approach allows packages to ship files with timestamps in the past,
but on the other hand prevents capturing the actual build time in the
metadata. But that only works correctly if the build occurs after the
date in the latest changelog entry, otherwise the date is not clamped,
and the actual build time is captured.

An alternative would be to set the timestamp of all files in the
package to the latest changelog entry, but that would break many things
as timestamps are often used as metadata (e.g. to determine freshness of
data).

> > After doing a full check of the testing suite, I have found that this
> > problem actually existed for other packages. Here is a list of binNMUs
> > to fix many of them:
> >
> > nmu baobab_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu clapper_0.8.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu deja-dup_45.2-3 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu five-or-more_1:48.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-2048_3.38.2-5 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-boxes_48.0-3 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-builder_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-calculator_1:48.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-calendar_48.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-clocks_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-commander_1.18.2-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-connections_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-console_48.0.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-contacts_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-disk-utility_46.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-font-viewer_48.0-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-klotski_1:3.38.2-4 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-mahjongg_1:48.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-mines_1:48.1-2 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-multi-writer_3.32.1-4 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu gnome-power-manager_43.0-4 . ANY . -m 'Rebuild to fix reproducibility'
> > nmu tiptop_2.3.1-5 . amd64 armel armhf i386 mips64el ppc64el s390x m68k powerpc ppc64 sh4 sparc64 x32 . -m 'Rebuild to fix reproducibility'
>
> Scheduled anyway.

Thanks!

Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://aurel32.net
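
The clamping rule described in this message, as an added example that is not part of the original thread and is not dpkg's code: a Python model that uses the standard tarfile module in place of tar --clamp-mtime. The timestamps, file names and helper names are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed values: changelog date (the clamp limit) and an older file mtime.
CHANGELOG_DATE = 1_748_000_000
OLD_UPSTREAM_MTIME = 1_700_000_000  # file shipped unchanged from the source


def clamp_mtime(mtime: int, limit: int) -> int:
    """The clamp rule: only timestamps newer than the limit are lowered to it."""
    return min(mtime, limit)


def build_archive(build_time: int, limit: int = CHANGELOG_DATE) -> bytes:
    """Pack one pre-existing file and one file generated at build_time."""
    members = [
        ("usr/share/doc/demo/README", b"upstream text\n", OLD_UPSTREAM_MTIME),
        ("usr/bin/demo", b"compiled output\n", build_time),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data, mtime in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = clamp_mtime(mtime, limit)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(build_time: int) -> str:
    """SHA-256 of the archive produced by a builder whose clock reads build_time."""
    return hashlib.sha256(build_archive(build_time)).hexdigest()


def member_mtimes(build_time: int) -> dict:
    """Map member name to the mtime actually stored in the archive."""
    with tarfile.open(fileobj=io.BytesIO(build_archive(build_time))) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}


if __name__ == "__main__":
    day = 86_400
    # Builder clock after the changelog date: rebuilds are bit-identical.
    print(digest(CHANGELOG_DATE + day) == digest(CHANGELOG_DATE + 30 * day))
    # Builder clock before the changelog date: the build time leaks in.
    print(digest(CHANGELOG_DATE - day) == digest(CHANGELOG_DATE - 2 * day))
```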